[pve-access-control.git] / PVE / API2 / AccessControl.pm

package PVE::API2::AccessControl;

use strict;
use warnings;

use JSON;
use MIME::Base64;

use PVE::Exception qw(raise raise_perm_exc);
use PVE::SafeSyslog;
use PVE::RPCEnvironment;
use PVE::Cluster qw(cfs_read_file);
use PVE::Corosync;
use PVE::RESTHandler;
use PVE::AccessControl;
use PVE::JSONSchema qw(get_standard_option);
use PVE::API2::Domains;
use PVE::API2::User;
use PVE::API2::Group;
use PVE::API2::Role;
use PVE::API2::ACL;

my $u2f_available = 0;
eval {
    require PVE::U2F;
    $u2f_available = 1;
};

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::User",  
    path => 'users',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Group",  
    path => 'groups',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Role",  
    path => 'roles',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::ACL",  
    path => 'acl',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Domains",  
    path => 'domains',
});

__PACKAGE__->register_method ({
    name => 'index', 
    path => '', 
    method => 'GET',
    description => "Directory index.",
    permissions => { 
	user => 'all',
    },
    parameters => {
    	additionalProperties => 0,
	properties => {},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		subdir => { type => 'string' },
	    },
	},
	links => [ { rel => 'child', href => "{subdir}" } ],
    },
    code => sub {
	my ($param) = @_;
    
	my $res = [];

	my $ma = __PACKAGE__->method_attributes();

	foreach my $info (@$ma) {
	    next if !$info->{subclass};

	    my $subpath = $info->{match_re}->[0];

	    push @$res, { subdir => $subpath };
	}

	push @$res, { subdir => 'ticket' };
	push @$res, { subdir => 'password' };

	return $res;
    }});


my $verify_auth = sub {
    my ($rpcenv, $username, $pw_or_ticket, $otp, $path, $privs) = @_;

    my $normpath = PVE::AccessControl::normalize_path($path);

    my $ticketuser;
    if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) &&
	($ticketuser eq $username)) {
	# valid ticket
    } elsif (PVE::AccessControl::verify_vnc_ticket($pw_or_ticket, $username, $normpath, 1)) {
	# valid vnc ticket
    } else {
	$username = PVE::AccessControl::authenticate_user($username, $pw_or_ticket, $otp);
    }

    my $privlist = [ PVE::Tools::split_list($privs) ];
    if (!($normpath && scalar(@$privlist) && $rpcenv->check($username, $normpath, $privlist))) {
	die "no permission ($path, $privs)\n";
    }

    return { username => $username };
};

my $create_ticket = sub {
    my ($rpcenv, $username, $pw_or_ticket, $otp) = @_;

    my ($ticketuser, $u2fdata);
    if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) &&
	($ticketuser eq 'root@pam' || $ticketuser eq $username)) {
	# valid ticket. Note: root@pam can create tickets for other users
    } else {
	($username, $u2fdata) = PVE::AccessControl::authenticate_user($username, $pw_or_ticket, $otp);
    }

    my %extra;
    my $ticket_data = $username;
    if (defined($u2fdata)) {
	my $u2f = get_u2f_instance($rpcenv, $u2fdata->@{qw(publicKey keyHandle)});
	my $challenge = $u2f->auth_challenge()
	    or die "failed to get u2f challenge\n";
	$challenge = decode_json($challenge);
	$extra{U2FChallenge} = $challenge;
	$ticket_data = "u2f!$username!$challenge->{challenge}";
    }

    my $ticket = PVE::AccessControl::assemble_ticket($ticket_data);
    my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username);

    return {
	ticket => $ticket,
	username => $username,
	CSRFPreventionToken => $csrftoken,
	%extra,
    };
};

my $compute_api_permission = sub {
    my ($rpcenv, $authuser) = @_;

    my $usercfg = $rpcenv->{user_cfg};

    my $res = {};
    my $priv_re_map = {
	vms => qr/VM\.|Permissions\.Modify/,
	access => qr/(User|Group)\.|Permissions\.Modify/,
	storage => qr/Datastore\.|Permissions\.Modify/,
	nodes => qr/Sys\.|Permissions\.Modify/,
	dc => qr/Sys\.Audit/,
    };
    map { $res->{$_} = {} } keys %$priv_re_map;

    my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage'];

    my $checked_paths = {};
    foreach my $path (@$required_paths, keys %{$usercfg->{acl}}) {
	next if $checked_paths->{$path};
	$checked_paths->{$path} = 1;

	my $path_perm = $rpcenv->permissions($authuser, $path);

	my $toplevel = ($path =~ /^\/(\w+)/) ? $1 : 'dc';
	if ($toplevel eq 'pool') {
	    foreach my $priv (keys %$path_perm) {
		if ($priv =~ m/^VM\./) {
		    $res->{vms}->{$priv} = 1;
		} elsif ($priv =~ m/^Datastore\./) {
		    $res->{storage}->{$priv} = 1;
		} elsif ($priv eq 'Permissions.Modify') {
		    $res->{storage}->{$priv} = 1;
		    $res->{vms}->{$priv} = 1;
		}
	    }
	} else {
	    my $priv_regex = $priv_re_map->{$toplevel} // next;
	    foreach my $priv (keys %$path_perm) {
		next if $priv !~ m/^($priv_regex)/;
		$res->{$toplevel}->{$priv} = 1;
	    }
	}
    }

    return $res;
};

__PACKAGE__->register_method ({
    name => 'get_ticket', 
    path => 'ticket', 
    method => 'GET',
    permissions => { user => 'world' },
    description => "Dummy. Useful for formatters which want to provide a login page.",
    parameters => {
	additionalProperties => 0,
    },
    returns => { type => "null" },
    code => sub { return undef; }});
  
__PACKAGE__->register_method ({
    name => 'create_ticket', 
    path => 'ticket', 
    method => 'POST',
    permissions => { 
	description => "You need to pass valid credientials.",
	user => 'world' 
    },
    protected => 1, # else we can't access shadow files
    description => "Create or verify authentication ticket.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    username => {
	        description => "User name",
	        type => 'string',
	        maxLength => 64,
	        completion => \&PVE::AccessControl::complete_username,
	    },
	    realm =>  get_standard_option('realm', {
		description => "You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>\@<relam>.",
		optional => 1,
		completion => \&PVE::AccessControl::complete_realm,
	    }),
	    password => { 
		description => "The secret password. This can also be a valid ticket.",
		type => 'string',
	    },
	    otp => {
		description => "One-time password for Two-factor authentication.",
		type => 'string',
		optional => 1,
	    },
	    path => {
		description => "Verify ticket, and check if user have access 'privs' on 'path'",
		type => 'string',
		requires => 'privs',
		optional => 1,
		maxLength => 64,
	    },
	    privs => { 
		description => "Verify ticket, and check if user have access 'privs' on 'path'",
		type => 'string' , format => 'pve-priv-list',
		requires => 'path',
		optional => 1,
		maxLength => 64,
	    },
	}
    },
    returns => {
	type => "object",
	properties => {
	    username => { type => 'string' },
	    ticket => { type => 'string', optional => 1},
	    CSRFPreventionToken => { type => 'string', optional => 1 },
	    clustername => { type => 'string', optional => 1 },
	    # cap => computed api permissions, unless there's a u2f challenge
	}
    },
    code => sub {
	my ($param) = @_;
    
	my $username = $param->{username};
	$username .= "\@$param->{realm}" if $param->{realm};

	my $rpcenv = PVE::RPCEnvironment::get();

	my $res;
	eval {
	    # test if user exists and is enabled
	    $rpcenv->check_user_enabled($username);

	    if ($param->{path} && $param->{privs}) {
		$res = &$verify_auth($rpcenv, $username, $param->{password}, $param->{otp},
				     $param->{path}, $param->{privs});
	    } else {
		$res = &$create_ticket($rpcenv, $username, $param->{password}, $param->{otp});
	    }
	};
	if (my $err = $@) {
	    my $clientip = $rpcenv->get_client_ip() || '';
	    syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
	    # do not return any info to prevent user enumeration attacks
	    die PVE::Exception->new("authentication failure\n", code => 401);
	}

	$res->{cap} = &$compute_api_permission($rpcenv, $username)
	    if !defined($res->{U2FChallenge});

	if (PVE::Corosync::check_conf_exists(1)) {
	    if ($rpcenv->check($username, '/', ['Sys.Audit'], 1)) {
		eval {
		    my $conf = cfs_read_file('corosync.conf');
		    my $totem = PVE::Corosync::totem_config($conf);
		    if ($totem->{cluster_name}) {
			$res->{clustername} = $totem->{cluster_name};
		    }
		};
		warn "$@\n" if $@;
	    }
	}

	PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user '$username'");

	return $res;
    }});

__PACKAGE__->register_method ({
    name => 'change_password',
    path => 'password', 
    method => 'PUT',
    permissions => { 
	description => "Each user is allowed to change his own password. A user can change the password of another user if he has 'Realm.AllocateUser' (on the realm of user <userid>) and 'User.Modify' permission on /access/groups/<group> on a group where user <userid> is member of.",
	check => [ 'or', 
		   ['userid-param', 'self'],
		   [ 'and',
		     [ 'userid-param', 'Realm.AllocateUser'],
		     [ 'userid-group', ['User.Modify']]
		   ]
	    ],
    },
    protected => 1, # else we can't access shadow files
    description => "Change user password.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid-completed'),
	    password => { 
		description => "The new password.",
		type => 'string',
		minLength => 5, 
		maxLength => 64,
	    },
	}
    },
    returns => { type => "null" },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();

	my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});

	$rpcenv->check_user_exist($userid);

	if ($authuser eq 'root@pam') {
	    # OK - root can change anything
	} else {
	    if ($authuser eq $userid) {
		$rpcenv->check_user_enabled($userid);
		# OK - each user can change its own password
	    } else {
		# only root may change root password
		raise_perm_exc() if $userid eq 'root@pam';
		# do not allow to change system user passwords
		raise_perm_exc() if $realm eq 'pam';
	    }
	}

	PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password});

	PVE::Cluster::log_msg('info', 'root@pam', "changed password for user '$userid'");

	return undef;
    }});

sub get_u2f_config() {
    die "u2f support not available\n" if !$u2f_available;

    my $dc = cfs_read_file('datacenter.cfg');
    my $u2f = $dc->{u2f};
    die "u2f not configured in datacenter.cfg\n" if !$u2f;
    $u2f = PVE::JSONSchema::parse_property_string($PVE::Cluster::u2f_format, $u2f);
    return $u2f;
}

sub get_u2f_instance {
    my ($rpcenv, $publicKey, $keyHandle) = @_;

    # We store the public key base64 encoded (as the api provides it in binary)
    $publicKey = decode_base64($publicKey) if defined($publicKey);

    my $u2fconfig = get_u2f_config();
    my $u2f = PVE::U2F->new();

    # via the 'Host' header (in case a node has multiple hosts available).
    my $origin = $u2fconfig->{origin};
    if (!defined($origin)) {
	$origin = $rpcenv->get_request_host(1);
	if ($origin) {
	    $origin = "https://$origin";
	} else {
	    die "failed to figure out u2f origin\n";
	}
    }

    my $appid = $u2fconfig->{appid} // $origin;
    $u2f->set_appid($appid);
    $u2f->set_origin($origin);
    $u2f->set_publicKey($publicKey) if defined($publicKey);
    $u2f->set_keyHandle($keyHandle) if defined($keyHandle);
    return $u2f;
}

__PACKAGE__->register_method ({
    name => 'change_tfa',
    path => 'tfa',
    method => 'PUT',
    permissions => {
	description => 'A user can change their own u2f token.',
	check => [ 'or',
		   ['userid-param', 'self'],
		   [ 'and',
		     [ 'userid-param', 'Realm.AllocateUser'],
		     [ 'userid-group', ['User.Modify']]
		   ]
	    ],
    },
    protected => 1, # else we can't access shadow files
    description => "Change user u2f authentication.",
    parameters => {
	additionalProperties => 0,
	properties => {
	    userid => get_standard_option('userid', {
		completion => \&PVE::AccessControl::complete_username,
	    }),
	    password => {
		optional => 1, # Only required if not root@pam
		description => "The current password.",
		type => 'string',
		minLength => 5,
		maxLength => 64,
	    },
	    action => {
		description => 'The action to perform',
		type => 'string',
		enum => [qw(delete new confirm)],
	    },
	    response => {
		optional => 1,
		description => 'The response to the current registration challenge.',
		type => 'string',
	    },
	}
    },
    returns => { type => 'object' },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $authuser = $rpcenv->get_user();

	my $action = delete $param->{action};
	my $response = delete $param->{response};
	my $password = delete($param->{password}) // '';

	my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
	$rpcenv->check_user_exist($userid);

	# Only root may modify root
	raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';

	# Regular users need to confirm their password to change u2f settings.
	if ($authuser ne 'root@pam') {
	    raise_param_exc('password' => 'password is required to modify u2f data')
		if !defined($password);
	    my $domain_cfg = cfs_read_file('domains.cfg');
	    my $cfg = $domain_cfg->{ids}->{$realm};
	    die "auth domain '$realm' does not exists\n" if !$cfg;
	    my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
	    $plugin->authenticate_user($cfg, $realm, $ruid, $password);
	}

	if ($action eq 'delete') {
	    PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef);
	    PVE::Cluster::log_msg('info', $authuser, "deleted u2f data for user '$userid'");
	} elsif ($action eq 'new') {
	    my $u2f = get_u2f_instance($rpcenv);
	    my $challenge = $u2f->registration_challenge()
		or raise("failed to get u2f challenge");
	    $challenge = decode_json($challenge);
	    PVE::AccessControl::user_set_tfa($userid, $realm, 'u2f', $challenge);
	    return $challenge;
	} elsif ($action eq 'confirm') {
	    raise_param_exc('response' => "confirm action requires the 'response' parameter to be set")
		if !defined($response);

	    my ($type, $u2fdata) = PVE::AccessControl::user_get_tfa($userid, $realm);
	    raise("no u2f data available")
		if (!defined($type) || $type ne 'u2f');

	    my $challenge = $u2fdata->{challenge}
		or raise("no active challenge");

	    my $u2f = get_u2f_instance($rpcenv);
	    $u2f->set_challenge($challenge);
	    my ($keyHandle, $publicKey) = $u2f->registration_verify($response);
	    PVE::AccessControl::user_set_tfa($userid, $realm, 'u2f', {
		keyHandle => $keyHandle,
		publicKey => encode_base64($publicKey, ''),
	    });
	} else {
	    die "invalid action: $action\n";
	}

	return {};
    }});

__PACKAGE__->register_method({
    name => 'verify_tfa',
    path => 'tfa',
    method => 'POST',
    permissions => { user => 'all' },
    protected => 1, # else we can't access shadow files
    description => 'Finish a u2f challenge.',
    parameters => {
	additionalProperties => 0,
	properties => {
	    response => {
		type => 'string',
		description => 'The response to the current authentication challenge.',
	    },
	}
    },
    returns => {
	type => 'object',
	properties => {
	    ticket => { type => 'string' },
	    # cap
	}
    },
    code => sub {
	my ($param) = @_;

	my $rpcenv = PVE::RPCEnvironment::get();
	my $challenge = $rpcenv->get_u2f_challenge()
	   or raise('no active challenge');
	my $authuser = $rpcenv->get_user();
	my ($username, undef, $realm) = PVE::AccessControl::verify_username($authuser);

	my ($tfa_type, $u2fdata) = PVE::AccessControl::user_get_tfa($username, $realm);
	if (!defined($tfa_type) || $tfa_type ne 'u2f') {
	    raise('no u2f data available');
	}

	my $keyHandle = $u2fdata->{keyHandle};
	my $publicKey = $u2fdata->{publicKey};
	raise("incomplete u2f setup")
	    if !defined($keyHandle) || !defined($publicKey);

	my $u2f = get_u2f_instance($rpcenv, $publicKey, $keyHandle);
	$u2f->set_challenge($challenge);

	eval {
	    my ($counter, $present) = $u2f->auth_verify($param->{response});
	    # Do we want to do anything with these?
	};
	if (my $err = $@) {
	    my $clientip = $rpcenv->get_client_ip() || '';
	    syslog('err', "authentication verification failure; rhost=$clientip user=$authuser msg=$err");
	    die PVE::Exception->new("authentication failure\n", code => 401);
	}

	# create a new ticket for the user:
	my $ticket_data = "u2f!$authuser!verified";
	return {
	    ticket => PVE::AccessControl::assemble_ticket($ticket_data),
	    cap => &$compute_api_permission($rpcenv, $authuser),
	}
    }});

1;
Commit	Line	Data
2c3a6c0a DM	1	package PVE::API2::AccessControl;
	2
	3	use strict;
	4	use warnings;
	5
2b4c98ab WB	6	use JSON;
	7	use MIME::Base64;
	8
37d45deb	9	use PVE::Exception qw(raise raise_perm_exc);
2c3a6c0a DM	10	use PVE::SafeSyslog;
2c3a6c0a DM	11	use PVE::RPCEnvironment;
a427cecb	12	use PVE::Cluster qw(cfs_read_file);
e842fec5	13	use PVE::Corosync;
2c3a6c0a DM	14	use PVE::RESTHandler;
	15	use PVE::AccessControl;
	16	use PVE::JSONSchema qw(get_standard_option);
	17	use PVE::API2::Domains;
	18	use PVE::API2::User;
	19	use PVE::API2::Group;
	20	use PVE::API2::Role;
	21	use PVE::API2::ACL;
	22
2b4c98ab WB	23	my $u2f_available = 0;
	24	eval {
	25	require PVE::U2F;
	26	$u2f_available = 1;
	27	};
	28
2c3a6c0a DM	29	use base qw(PVE::RESTHandler);
	30
	31	__PACKAGE__->register_method ({
	32	subclass => "PVE::API2::User",
	33	path => 'users',
	34	});
	35
	36	__PACKAGE__->register_method ({
	37	subclass => "PVE::API2::Group",
	38	path => 'groups',
	39	});
	40
	41	__PACKAGE__->register_method ({
	42	subclass => "PVE::API2::Role",
	43	path => 'roles',
	44	});
	45
	46	__PACKAGE__->register_method ({
	47	subclass => "PVE::API2::ACL",
	48	path => 'acl',
	49	});
	50
	51	__PACKAGE__->register_method ({
	52	subclass => "PVE::API2::Domains",
	53	path => 'domains',
	54	});
	55
	56	__PACKAGE__->register_method ({
	57	name => 'index',
	58	path => '',
	59	method => 'GET',
	60	description => "Directory index.",
82b63965 DM	61	permissions => {
	62	user => 'all',
	63	},
2c3a6c0a DM	64	parameters => {
	65	additionalProperties => 0,
	66	properties => {},
	67	},
	68	returns => {
	69	type => 'array',
	70	items => {
	71	type => "object",
	72	properties => {
	73	subdir => { type => 'string' },
	74	},
	75	},
	76	links => [ { rel => 'child', href => "{subdir}" } ],
	77	},
	78	code => sub {
	79	my ($param) = @_;
	80
	81	my $res = [];
	82
	83	my $ma = __PACKAGE__->method_attributes();
	84
	85	foreach my $info (@$ma) {
	86	next if !$info->{subclass};
	87
	88	my $subpath = $info->{match_re}->[0];
	89
	90	push @$res, { subdir => $subpath };
	91	}
	92
	93	push @$res, { subdir => 'ticket' };
37d45deb	94	push @$res, { subdir => 'password' };
2c3a6c0a DM	95
	96	return $res;
	97	}});
	98
adf8d771 DM	99
adf8d771 DM	100	my $verify_auth = sub {
96f8ebd6	101	my ($rpcenv, $username, $pw_or_ticket, $otp, $path, $privs) = @_;
adf8d771 DM	102
	103	my $normpath = PVE::AccessControl::normalize_path($path);
	104
	105	my $ticketuser;
	106	if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) &&
	107	($ticketuser eq $username)) {
	108	# valid ticket
	109	} elsif (PVE::AccessControl::verify_vnc_ticket($pw_or_ticket, $username, $normpath, 1)) {
	110	# valid vnc ticket
	111	} else {
96f8ebd6	112	$username = PVE::AccessControl::authenticate_user($username, $pw_or_ticket, $otp);
adf8d771 DM	113	}
	114
	115	my $privlist = [ PVE::Tools::split_list($privs) ];
	116	if (!($normpath && scalar(@$privlist) && $rpcenv->check($username, $normpath, $privlist))) {
	117	die "no permission ($path, $privs)\n";
	118	}
	119
	120	return { username => $username };
	121	};
	122
	123	my $create_ticket = sub {
96f8ebd6	124	my ($rpcenv, $username, $pw_or_ticket, $otp) = @_;
adf8d771	125
18f8ba18	126	my ($ticketuser, $u2fdata);
adf8d771 DM	127	if (($ticketuser = PVE::AccessControl::verify_ticket($pw_or_ticket, 1)) &&
	128	($ticketuser eq 'root@pam' \|\| $ticketuser eq $username)) {
	129	# valid ticket. Note: root@pam can create tickets for other users
	130	} else {
18f8ba18 WB	131	($username, $u2fdata) = PVE::AccessControl::authenticate_user($username, $pw_or_ticket, $otp);
	132	}
	133
	134	my %extra;
	135	my $ticket_data = $username;
	136	if (defined($u2fdata)) {
	137	my $u2f = get_u2f_instance($rpcenv, $u2fdata->@{qw(publicKey keyHandle)});
	138	my $challenge = $u2f->auth_challenge()
	139	or die "failed to get u2f challenge\n";
	140	$challenge = decode_json($challenge);
	141	$extra{U2FChallenge} = $challenge;
	142	$ticket_data = "u2f!$username!$challenge->{challenge}";
adf8d771 DM	143	}
adf8d771 DM	144
18f8ba18	145	my $ticket = PVE::AccessControl::assemble_ticket($ticket_data);
adf8d771 DM	146	my $csrftoken = PVE::AccessControl::assemble_csrf_prevention_token($username);
	147
	148	return {
	149	ticket => $ticket,
	150	username => $username,
	151	CSRFPreventionToken => $csrftoken,
18f8ba18	152	%extra,
adf8d771 DM	153	};
	154	};
	155
dd2cfee0 DM	156	my $compute_api_permission = sub {
	157	my ($rpcenv, $authuser) = @_;
	158
	159	my $usercfg = $rpcenv->{user_cfg};
	160
a2c18811 TL	161	my $res = {};
	162	my $priv_re_map = {
	163	vms => qr/VM\.\|Permissions\.Modify/,
	164	access => qr/(User\|Group)\.\|Permissions\.Modify/,
f5848089	165	storage => qr/Datastore\.\|Permissions\.Modify/,
a2c18811 TL	166	nodes => qr/Sys\.\|Permissions\.Modify/,
a2c18811 TL	167	dc => qr/Sys\.Audit/,
dd2cfee0	168	};
a2c18811 TL	169	map { $res->{$_} = {} } keys %$priv_re_map;
	170
	171	my $required_paths = ['/', '/nodes', '/access/groups', '/vms', '/storage'];
	172
	173	my $checked_paths = {};
	174	foreach my $path (@$required_paths, keys %{$usercfg->{acl}}) {
	175	next if $checked_paths->{$path};
	176	$checked_paths->{$path} = 1;
	177
	178	my $path_perm = $rpcenv->permissions($authuser, $path);
	179
	180	my $toplevel = ($path =~ /^\/(\w+)/) ? $1 : 'dc';
	181	if ($toplevel eq 'pool') {
	182	foreach my $priv (keys %$path_perm) {
	183	if ($priv =~ m/^VM\./) {
	184	$res->{vms}->{$priv} = 1;
	185	} elsif ($priv =~ m/^Datastore\./) {
	186	$res->{storage}->{$priv} = 1;
	187	} elsif ($priv eq 'Permissions.Modify') {
	188	$res->{storage}->{$priv} = 1;
	189	$res->{vms}->{$priv} = 1;
	190	}
	191	}
	192	} else {
	193	my $priv_regex = $priv_re_map->{$toplevel} // next;
	194	foreach my $priv (keys %$path_perm) {
	195	next if $priv !~ m/^($priv_regex)/;
	196	$res->{$toplevel}->{$priv} = 1;
	197	}
dd2cfee0 DM	198	}
	199	}
	200
dd2cfee0 DM	201	return $res;
	202	};
	203
39e4e363 DM	204	__PACKAGE__->register_method ({
	205	name => 'get_ticket',
	206	path => 'ticket',
	207	method => 'GET',
	208	permissions => { user => 'world' },
36dd9dbd	209	description => "Dummy. Useful for formatters which want to provide a login page.",
39e4e363 DM	210	parameters => {
	211	additionalProperties => 0,
	212	},
	213	returns => { type => "null" },
	214	code => sub { return undef; }});
	215
2c3a6c0a DM	216	__PACKAGE__->register_method ({
	217	name => 'create_ticket',
	218	path => 'ticket',
	219	method => 'POST',
96919234 DM	220	permissions => {
	221	description => "You need to pass valid credientials.",
	222	user => 'world'
	223	},
2c3a6c0a	224	protected => 1, # else we can't access shadow files
adf8d771	225	description => "Create or verify authentication ticket.",
2c3a6c0a DM	226	parameters => {
	227	additionalProperties => 0,
	228	properties => {
	229	username => {
3a5ae7a0 SI	230	description => "User name",
	231	type => 'string',
	232	maxLength => 64,
	233	completion => \&PVE::AccessControl::complete_username,
2c3a6c0a DM	234	},
	235	realm => get_standard_option('realm', {
	236	description => "You can optionally pass the realm using this parameter. Normally the realm is simply added to the username <username>\@<relam>.",
3e5bfdf6 DM	237	optional => 1,
	238	completion => \&PVE::AccessControl::complete_realm,
	239	}),
2c3a6c0a DM	240	password => {
	241	description => "The secret password. This can also be a valid ticket.",
	242	type => 'string',
	243	},
96f8ebd6 DM	244	otp => {
	245	description => "One-time password for Two-factor authentication.",
	246	type => 'string',
	247	optional => 1,
	248	},
2c3a6c0a	249	path => {
adf8d771	250	description => "Verify ticket, and check if user have access 'privs' on 'path'",
2c3a6c0a DM	251	type => 'string',
	252	requires => 'privs',
	253	optional => 1,
	254	maxLength => 64,
	255	},
	256	privs => {
adf8d771	257	description => "Verify ticket, and check if user have access 'privs' on 'path'",
2c3a6c0a DM	258	type => 'string' , format => 'pve-priv-list',
	259	requires => 'path',
	260	optional => 1,
	261	maxLength => 64,
	262	},
	263	}
	264	},
	265	returns => {
	266	type => "object",
	267	properties => {
2c3a6c0a	268	username => { type => 'string' },
adf8d771 DM	269	ticket => { type => 'string', optional => 1},
adf8d771 DM	270	CSRFPreventionToken => { type => 'string', optional => 1 },
e842fec5	271	clustername => { type => 'string', optional => 1 },
18f8ba18	272	# cap => computed api permissions, unless there's a u2f challenge
2c3a6c0a DM	273	}
	274	},
	275	code => sub {
	276	my ($param) = @_;
	277
	278	my $username = $param->{username};
	279	$username .= "\@$param->{realm}" if $param->{realm};
	280
	281	my $rpcenv = PVE::RPCEnvironment::get();
2c3a6c0a	282
adf8d771	283	my $res;
adf8d771	284	eval {
7070c1ae DM	285	# test if user exists and is enabled
	286	$rpcenv->check_user_enabled($username);
	287
2c3a6c0a	288	if ($param->{path} && $param->{privs}) {
96f8ebd6	289	$res = &$verify_auth($rpcenv, $username, $param->{password}, $param->{otp},
adf8d771	290	$param->{path}, $param->{privs});
2c3a6c0a	291	} else {
96f8ebd6	292	$res = &$create_ticket($rpcenv, $username, $param->{password}, $param->{otp});
2c3a6c0a	293	}
2c3a6c0a DM	294	};
2c3a6c0a DM	295	if (my $err = $@) {
adf8d771	296	my $clientip = $rpcenv->get_client_ip() \|\| '';
2c3a6c0a	297	syslog('err', "authentication failure; rhost=$clientip user=$username msg=$err");
6126ab75	298	# do not return any info to prevent user enumeration attacks
fe2defd9	299	die PVE::Exception->new("authentication failure\n", code => 401);
2c3a6c0a DM	300	}
2c3a6c0a DM	301
18f8ba18 WB	302	$res->{cap} = &$compute_api_permission($rpcenv, $username)
18f8ba18 WB	303	if !defined($res->{U2FChallenge});
dd2cfee0	304
e842fec5 TL	305	if (PVE::Corosync::check_conf_exists(1)) {
e842fec5 TL	306	if ($rpcenv->check($username, '/', ['Sys.Audit'], 1)) {
b27ae8aa TL	307	eval {
	308	my $conf = cfs_read_file('corosync.conf');
	309	my $totem = PVE::Corosync::totem_config($conf);
	310	if ($totem->{cluster_name}) {
	311	$res->{clustername} = $totem->{cluster_name};
	312	}
	313	};
	314	warn "$@\n" if $@;
e842fec5 TL	315	}
	316	}
	317
2c3a6c0a DM	318	PVE::Cluster::log_msg('info', 'root@pam', "successful auth for user '$username'");
2c3a6c0a DM	319
adf8d771	320	return $res;
2c3a6c0a DM	321	}});
2c3a6c0a DM	322
37d45deb	323	__PACKAGE__->register_method ({
765305e2	324	name => 'change_password',
37d45deb DM	325	path => 'password',
37d45deb DM	326	method => 'PUT',
12683df7	327	permissions => {
82b63965	328	description => "Each user is allowed to change his own password. A user can change the password of another user if he has 'Realm.AllocateUser' (on the realm of user <userid>) and 'User.Modify' permission on /access/groups/<group> on a group where user <userid> is member of.",
12683df7 DM	329	check => [ 'or',
12683df7 DM	330	['userid-param', 'self'],
82b63965 DM	331	[ 'and',
	332	[ 'userid-param', 'Realm.AllocateUser'],
	333	[ 'userid-group', ['User.Modify']]
	334	]
12683df7 DM	335	],
12683df7 DM	336	},
37d45deb DM	337	protected => 1, # else we can't access shadow files
	338	description => "Change user password.",
	339	parameters => {
	340	additionalProperties => 0,
	341	properties => {
3a5ae7a0	342	userid => get_standard_option('userid-completed'),
37d45deb DM	343	password => {
	344	description => "The new password.",
	345	type => 'string',
	346	minLength => 5,
	347	maxLength => 64,
	348	},
	349	}
	350	},
	351	returns => { type => "null" },
	352	code => sub {
	353	my ($param) = @_;
	354
	355	my $rpcenv = PVE::RPCEnvironment::get();
	356	my $authuser = $rpcenv->get_user();
	357
	358	my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
	359
12683df7	360	$rpcenv->check_user_exist($userid);
37d45deb DM	361
	362	if ($authuser eq 'root@pam') {
	363	# OK - root can change anything
	364	} else {
	365	if ($authuser eq $userid) {
	366	$rpcenv->check_user_enabled($userid);
	367	# OK - each user can change its own password
	368	} else {
12683df7	369	# only root may change root password
37d45deb	370	raise_perm_exc() if $userid eq 'root@pam';
59321f26 DM	371	# do not allow to change system user passwords
59321f26 DM	372	raise_perm_exc() if $realm eq 'pam';
37d45deb DM	373	}
	374	}
	375
	376	PVE::AccessControl::domain_set_password($realm, $ruid, $param->{password});
	377
	378	PVE::Cluster::log_msg('info', 'root@pam', "changed password for user '$userid'");
	379
	380	return undef;
	381	}});
	382
2b4c98ab WB	383	sub get_u2f_config() {
	384	die "u2f support not available\n" if !$u2f_available;
	385
	386	my $dc = cfs_read_file('datacenter.cfg');
	387	my $u2f = $dc->{u2f};
	388	die "u2f not configured in datacenter.cfg\n" if !$u2f;
	389	$u2f = PVE::JSONSchema::parse_property_string($PVE::Cluster::u2f_format, $u2f);
	390	return $u2f;
	391	}
	392
	393	sub get_u2f_instance {
	394	my ($rpcenv, $publicKey, $keyHandle) = @_;
	395
	396	# We store the public key base64 encoded (as the api provides it in binary)
	397	$publicKey = decode_base64($publicKey) if defined($publicKey);
	398
	399	my $u2fconfig = get_u2f_config();
	400	my $u2f = PVE::U2F->new();
	401
	402	# via the 'Host' header (in case a node has multiple hosts available).
	403	my $origin = $u2fconfig->{origin};
	404	if (!defined($origin)) {
	405	$origin = $rpcenv->get_request_host(1);
	406	if ($origin) {
	407	$origin = "https://$origin";
	408	} else {
	409	die "failed to figure out u2f origin\n";
	410	}
	411	}
	412
	413	my $appid = $u2fconfig->{appid} // $origin;
	414	$u2f->set_appid($appid);
	415	$u2f->set_origin($origin);
	416	$u2f->set_publicKey($publicKey) if defined($publicKey);
	417	$u2f->set_keyHandle($keyHandle) if defined($keyHandle);
	418	return $u2f;
	419	}
	420
	421	__PACKAGE__->register_method ({
	422	name => 'change_tfa',
	423	path => 'tfa',
	424	method => 'PUT',
	425	permissions => {
	426	description => 'A user can change their own u2f token.',
	427	check => [ 'or',
	428	['userid-param', 'self'],
	429	[ 'and',
	430	[ 'userid-param', 'Realm.AllocateUser'],
	431	[ 'userid-group', ['User.Modify']]
	432	]
	433	],
	434	},
	435	protected => 1, # else we can't access shadow files
	436	description => "Change user u2f authentication.",
	437	parameters => {
	438	additionalProperties => 0,
	439	properties => {
	440	userid => get_standard_option('userid', {
	441	completion => \&PVE::AccessControl::complete_username,
	442	}),
	443	password => {
	444	optional => 1, # Only required if not root@pam
	445	description => "The current password.",
	446	type => 'string',
447	minLength => 5,
448	maxLength => 64,
449	},
450	action => {
451	description => 'The action to perform',
452	type => 'string',
453	enum => [qw(delete new confirm)],
454	},
455	response => {
456	optional => 1,
457	description => 'The response to the current registration challenge.',
458	type => 'string',
459	},
460	}
461	},
462	returns => { type => 'object' },
463	code => sub {
464	my ($param) = @_;
465
466	my $rpcenv = PVE::RPCEnvironment::get();
467	my $authuser = $rpcenv->get_user();
468
469	my $action = delete $param->{action};
470	my $response = delete $param->{response};
471	my $password = delete($param->{password}) // '';
472
473	my ($userid, $ruid, $realm) = PVE::AccessControl::verify_username($param->{userid});
474	$rpcenv->check_user_exist($userid);
475
476	# Only root may modify root
477	raise_perm_exc() if $userid eq 'root@pam' && $authuser ne 'root@pam';
478
479	# Regular users need to confirm their password to change u2f settings.
480	if ($authuser ne 'root@pam') {
481	raise_param_exc('password' => 'password is required to modify u2f data')
482	if !defined($password);
483	my $domain_cfg = cfs_read_file('domains.cfg');
484	my $cfg = $domain_cfg->{ids}->{$realm};
485	die "auth domain '$realm' does not exists\n" if !$cfg;
486	my $plugin = PVE::Auth::Plugin->lookup($cfg->{type});
487	$plugin->authenticate_user($cfg, $realm, $ruid, $password);
488	}
489
490	if ($action eq 'delete') {
491	PVE::AccessControl::user_set_tfa($userid, $realm, undef, undef);
492	PVE::Cluster::log_msg('info', $authuser, "deleted u2f data for user '$userid'");
493	} elsif ($action eq 'new') {
494	my $u2f = get_u2f_instance($rpcenv);
495	my $challenge = $u2f->registration_challenge()
496	or raise("failed to get u2f challenge");
497	$challenge = decode_json($challenge);
498	PVE::AccessControl::user_set_tfa($userid, $realm, 'u2f', $challenge);
499	return $challenge;
500	} elsif ($action eq 'confirm') {
501	raise_param_exc('response' => "confirm action requires the 'response' parameter to be set")
502	if !defined($response);
503
504	my ($type, $u2fdata) = PVE::AccessControl::user_get_tfa($userid, $realm);
505	raise("no u2f data available")
506	if (!defined($type) \|\| $type ne 'u2f');
507
508	my $challenge = $u2fdata->{challenge}
509	or raise("no active challenge");
510
511	my $u2f = get_u2f_instance($rpcenv);
512	$u2f->set_challenge($challenge);
513	my ($keyHandle, $publicKey) = $u2f->registration_verify($response);
514	PVE::AccessControl::user_set_tfa($userid, $realm, 'u2f', {
515	keyHandle => $keyHandle,
516	publicKey => encode_base64($publicKey, ''),
517	});
518	} else {
519	die "invalid action: $action\n";
520	}
521
522	return {};
523	}});
524
525	__PACKAGE__->register_method({
526	name => 'verify_tfa',
527	path => 'tfa',
528	method => 'POST',
529	permissions => { user => 'all' },
530	protected => 1, # else we can't access shadow files
531	description => 'Finish a u2f challenge.',
532	parameters => {
533	additionalProperties => 0,
534	properties => {
535	response => {
536	type => 'string',
537	description => 'The response to the current authentication challenge.',
538	},
539	}
540	},
541	returns => {
542	type => 'object',
543	properties => {
544	ticket => { type => 'string' },
545	# cap
546	}
547	},
548	code => sub {
549	my ($param) = @_;
550
551	my $rpcenv = PVE::RPCEnvironment::get();
552	my $challenge = $rpcenv->get_u2f_challenge()
553	or raise('no active challenge');
554	my $authuser = $rpcenv->get_user();
555	my ($username, undef, $realm) = PVE::AccessControl::verify_username($authuser);
556
557	my ($tfa_type, $u2fdata) = PVE::AccessControl::user_get_tfa($username, $realm);
558	if (!defined($tfa_type) \|\| $tfa_type ne 'u2f') {
559	raise('no u2f data available');
560	}
561
562	my $keyHandle = $u2fdata->{keyHandle};
563	my $publicKey = $u2fdata->{publicKey};
564	raise("incomplete u2f setup")
565	if !defined($keyHandle) \|\| !defined($publicKey);
566
567	my $u2f = get_u2f_instance($rpcenv, $publicKey, $keyHandle);
568	$u2f->set_challenge($challenge);
569
570	eval {
571	my ($counter, $present) = $u2f->auth_verify($param->{response});
572	# Do we want to do anything with these?
573	};
574	if (my $err = $@) {
575	my $clientip = $rpcenv->get_client_ip() \|\| '';
576	syslog('err', "authentication verification failure; rhost=$clientip user=$authuser msg=$err");
577	die PVE::Exception->new("authentication failure\n", code => 401);
578	}
579
580	# create a new ticket for the user:
581	my $ticket_data = "u2f!$authuser!verified";
582	return {
583	ticket => PVE::AccessControl::assemble_ticket($ticket_data),
584	cap => &$compute_api_permission($rpcenv, $authuser),
585	}
586	}});
587
2c3a6c0a	588	1;